Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Mozilla Thunderbird : Remote Code Execution & Denial of Service
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Wed, 22 Feb 2006 22:32:53 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
tu dois vraiment avoir rien à faire pour chercher des bugs dans une
version perimée , loul :->

Renaud Lifchitz wrote:
Mozilla Thunderbird : Remote Code Execution & Denial of Service

//----- Advisory


Program          : Mozilla Thunderbird Homepage         :
http://www.mozilla.com/thunderbird/ Tested version   : <= 1.0.7
Found by         : nono2357 at sysdream dot com This advisory    :
nono2357 at sysdream dot com Discovery date   : 2006/01/28


//----- Application description


Full-Featured Email

Simple to use, powerful, and customizable, Thunderbird is a
full-featured email application. Thunderbird supports IMAP and POP
mail protocols, as well as HTML mail formatting. Easily import your
existing email accounts and messages. Built-in RSS capabilities,
powerful quick search, spell check as you type, global inbox,
deleting attachments and advanced message filtering round out
Thunderbird's modern feature set.


//----- Description of vulnerability


Thunderbird's WYSIWYG rendering engine insufficiently filters
javascript scripts. It is possible to write javascript in the SRC
attribute of the IFRAME tag. This leads to execution when the email
is edited (for instance when replying to the email), even if
javascript is disabled in the preferences.


//----- Proof Of Concept


* Javascript execution :

<html> <body> <iframe src="javascript:alert('Found by
www.sysdream.com !')"></iframe> </body> </html>

* Denial of service (application crash) :

<html> <body> <iframe src="javascript:parent.document.write('Found
by www.sysdream.com !')"></iframe> </body> </html>


//----- Solution


Upgrade to version 1.5.

Download page : http://www.mozilla.com/thunderbird/all.html Direct
link :
http://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/1.5/


//----- Impact


Successful exploitation may lead to information disclosure
(application version, platform, user emails, user preferences, ...)
or could crash the application.


//----- Credits


http://www.sysdream.com nono2357 at sysdream dot com


//----- Greetings


crashfr & the hackademy ...



_______________________________________________ Full-Disclosure -
We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
sponsored by Secunia - http://secunia.com/




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
 
iQIVAwUBQ/zYha+LRXunxpxfAQLVJw/9ElEn3ACHtmNK07X5dQLWaV7Sj1bSg9TF
i6eyhrvjFoqHRDFL+ZKPGS6Z9xSRV6SQ8fMruOwBHXaagcxyBFmPbtWA6OzUfYI3
sJKYWZiH0pEvdH9l5H5ZkxBrSZQ8mI+nKjR0D1thPSHPu0sNR5Oj+b4438SPoUif
0ZLN1UyxEIIPUS8pS42Bv2k6JKHl8cZ8q5D4k49u0gVP+Y0Gdz9D5w3mEDYbgSFC
ROtIPuL9ARLN0MUeHYGIMhOfZefz5qP0GweNZDuK8dcJ9pyCc5gIvGeAK+Sa0cJ/
AY23GNwJQvcV3SRGfDaXergznAU5lg8NXq27z7wUzj/hmj11SS9rABLnKDFGZRj5
draGKg433VOCKJYwG7xH2xRkPrZOh4gbwn2/GLVU82702AsBsiWP5IRlGJ9K4uY0
A7pTgfBMGAgwcoouIqTxgrZd0pQPxgJ28TYg1DgdfACMp6wmU+8iWTKkivXcJIaT
Qu33F+wZwS9jEE7ID3D14QCqlPfNg1drVpY3m/G6M08bCnxe1hyEOAIG141HIJUN
gycXz4pNIP9gS6GhhG0epZKkIstYRjDOwwMFmu1MaR/O6u/wwX/gzED6S3LooVi1
OVmbpbwy3+Hv+mxcftomQcXUwv1lDMWlz2vjWDwdx9dpLlTvZI15CVk/jabUIEjL
Tjzxv9mQu5w=
=jhOg
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault